IT Audit School

Seminar: ID# 1264203

Agenda

1. Introduction To IT Audit

• Audit Objectives And Requirements
• Role Of IT Within The Organization
• Management And Security Risks In An Automated Environment
• What Is A Control?
• Internal Control Defined
• Processes And Control Points
• Physical Space Vs. Logical Space
• Identifying Control Points

2. Planning The IT Audit

• Definition Of Internal Audit
• Objectives Of An IT Audit
• IT Audit Strategies
• What Is An Application
• Application Vs. General Controls
• IT Audit Control Reviews
• IT Control Categories
• The Audit Deliverable
• Building The Audit Team

3. Auditing Organizations And Standards

• Maintaining Audit Objectivity
• What Is A Standard?
• AICPA And SAS
• GAO And Other Certification Organizations
• The Institute Of Internal Auditors (IIA)
• The Treadway Commission
• COSO Integrated Framework
• ISACA And The IT Governance Institute
• COBIT®: Control Objectives For Information And Related Technology
• ISO 27002 Security Standard

4. Information Technology Basics

• Computer Hardware And CPU Operation
• Two Different Classes Of Computers
• Software, Programs, And Processing
• Distributed Systems And Client/Server Technology
• The Open Systems Interconnection (OSI) Model
• Maintenance And Security

5. Network Technology And Controls

• Networking Risks
• Auditing Networks
• What Is A Network?
• Lans, Wans, And Mans
• Physical Network Media (Cables)
• Cabling Audit Objectives
• LAN Protocols
• WAN Connectivity And Protocols
• MAN Protocols
• LAN/WAN/MAN Audit Objectives
• Network Devices
• Network Device Audit Objectives
• Complete Networks
• The Internet
• Intranets And Extranets
• Risks Of Internet Use For Business
• Using Firewalls
• Internet Communications
• Internet Protocol (IP) Addressing
• Service (Process) Addressing
• Internet Applications
• The World Wide Web (Www)
• Web Page Technologies
• Internet Audit Objectives

6 Shared General And Application Controls

• Logical Security
• Data Classification
• Logical Access Controls: System Access
• Encryption: Information Access
• Remote Access, Pcs, And Mobile Devices
• Information Security Management
• Change Management
• Change Management Objectives
• Program Change Control
• Patch Management
• Software Licensing
• Business Continuity/Disaster Recovery
• BCP/DRP Defined
• Business Impact Analysis (BIA)
• Disaster Recovery Strategy
• Maintaining The Plan
• System Development Technologies
• SDLC, RAD, ERP Purchases
• Internal Audit Involvement
• Audit Strategy

7. Database Technology And Controls

• Managing Information
• The Program
• Centric Model
• Program
• Centric Audit Concerns
• The Data
• Centric Model
• What Is A Database?
• Database Terminology
• Database Management Systems (DBMS)
• Types Of Databases
• Database Audit Concerns

8. Infrastructure General Controls

• Operations Controls
• IT Operations
• Operating System Controls
• System Utilities
• System Software Controls: A Review
• Physical Security
• Environmental Controls

9. Business Application Transactions

• Objectives Of An Application Audit
• What Is A Transaction?
• Transaction
• Based Application Auditing
• Transaction Life Cycle
• Application Risk Assessment Factors
• Establishing Audit Priorities

10. Top-Down Risk-Based Planning

• Planning The Application Audit
• Top
• Down, Risk
• Based Planning
• Defining The Business Environment
• Determining The Application’s Technical Environment
• Performing A Business Information Risk Assessment
• Identifying Key Transactions
• Developing A Key Transaction Process Flow
• Evaluating And Testing Application Controls

11. Data Input And Processing Models

• Comparing Pros/Cons Of Input And Processing Models
• Batch Input/Batch Processing
• On
• Line Input/Batch Processing
• On
• Line Input/On
• Line Processing
• Real
• Time Input/Real
• Time Processing

12. Application Controls

• Business Applications
• Information Objectives
• COSO: Application Controls
• Business Application Auditing
• Application Transaction Life Cycle
• Transaction Origination
• Logical Security
• Completeness And Accuracy Of Input
• Completeness And Accuracy Of Processing
• Completeness And Accuracy Of Output
• Output Retention And Disposal
• Data File Controls
• User Review, Balancing, Reconciliation
• End
• User Documentation
• Training
• Segregation Of Duties
• Business Continuity Planning
• Sarbanes
• Oxley Application Control Requirements

13. Testing Application Controls

• Testing Automated And Manual Controls
• Testing Alternatives
• Testing Sample Size
• Sampling Terminology
• Negative Assurance Testing
• Types Of Audit Evidence
• Functional/Substantive Testing
• Computer Assisted Audit Techniques (Caats)
• Data Analysis: Planning And Data Verification
• Sarbanes
• Oxley: Testing Requirements And Examples

14. Documenting Application Controls

• Evaluating And Documenting Internal Controls
• Internal Control Questionnaires
• Narratives
• Flowcharts / Process Flows
• Control Matrix

15. End-User Computing

• Growth Of End User Computing
• End User Computing Risks
• General IT Control Risks
• Change Control Risks
• Purchased Applications Risks
• Spreadsheets: Typical Errors
• Spreadsheet Risk Factors
• Practical Steps For Evaluating Spreadsheet Controls